
The SpamCop Glossary currently exists in three "flavors": this forum version; the new SpamCop Dictionary version; and the newest, a Wiki "flavor" that includes extensive cross-indexing.

Note: additions, corrections, suggestions, etc. are encouraged and will be merged into this consolidated glossary after allowing ample time for comment. Please post your comments in this thread. After they have been consolidated they will be moved to the archive, SpamCop Glossary Archive, Historical record of changes and posts (click on the link to jump to the Archive). For terms not included in this glossary please see the entry Additional Glossary Sources found at the conclusion of this glossary.

Note: All underlined text (regardless of color) found in the glossary is an indication of a clickable link. These links vary as to how they function. Some links will simply jump you to another part of the glossary (using the browser "back" button will return you to your previous location); while other links will open up a new window. Color coding in the glossary is used to grab attention or to aid in readability.

Clicking on any of the index items above will jump you to that entry below. Using the browser's back button will return you to the index.

A special thanks to Wazoo for getting the index to work.

/dev/null'ing

Sending something nowhere. SpamCop's parser discards messages by sending them to user#domain[at]devnull.spamcop.net (this is a pseudo-Report because it doesn't go anywhere, but it does get recorded in the statistics and can help keep an SCBL listing alive). Reasons for discarding reports include bouncing of previous Reports that were sent to user[at]domain, as well as SpamCop Deputy and SpamCop Admin intervention due to listwashing, ROKSO listing, obviously ignoring reports, passing reports to inappropriate places, etc.

The derivation of this term is the Unix Null Device /dev/null. Other terms for the same concept include vaporization, deletion, and sending something to a data sink, Bit Bucket, DOS's NUL:, trash can, or round file.

Acronyms have always been an integral part of computer culture, and they have since spawned a new language on the Internet. Although acronyms are commonly thought of as a series of letters that make up a "word", there is a distinction between acronyms and shorthand.

Online enthusiasts, primarily millennials, are learning that shorthand forms are in fact called acronyms, but this is incorrect. The difference between acronyms and shorthand is that with acronyms, you pronounce the letters as a new word (for example, FUBAR is pronounced "foo-bar" and RADAR is pronounced "ray-dar"). In contrast, with shorthand you always say the letters one by one rather than pronouncing them as a word (for example, FYI is pronounced "F-Y-I" and BRB is pronounced "B-R-B"). The difference between shorthand and an initialism (or abbreviation) is that the latter refers to the shortening of a word itself, for example "esp" for "especially." The online practice is to refer to any shorthand or abbreviation as an acronym.

BBCode is short for Bulletin Board Code. It is used as a way of formatting posts made on message boards, blogs and more. It is similar to HTML in the sense that in BBCode one also uses tags to format something specific (contained within the tag). In BBCode, tags are indicated by rectangular brackets surrounding a keyword, which is in turn transformed into HTML before being delivered to a web browser.

BBCode was implemented as a method of providing a safer and easier way of allowing posts to be formatted on forums. Before BBCode, forums sometimes allowed users to include HTML code in their posts, which had many security issues (e.g. the user could execute JavaScript code, break the layout of the site and so on). With BBCode being parsed by the forum scripts, it is easier to control what the user can and cannot do (allowing or not allowing specific BBCode tags).

The basic BBCode tags are often very similar across many different forums (which includes the SpamCopForum) but there are some variants in existence as well. Sometimes BBCode tags have to be in a specific case (e.g. [ b]bold text[ /b] will work, while [ B]bold text[ /B] will not). Forums also differ widely in which of the more unsafe and/or complex tags they support. For instance, you cannot always expect the [ img] image tag to be supported, as allowing posters unlimited power to post any picture they like could have some pretty nasty effects.

Note: space added at the beginning of each BBCode tag to stop them from being rendered in this definition.

Note: in the SpamCopForum, BBCode tags are not case sensitive.

When writing or editing a post in the SpamCopForum, clicking on "BB Code Help" will open up a help screen that contains detailed examples.

Bit Bucket

The universal data sink (originally, the mythical receptacle used to catch bits when they fall off the end of a register during a shift instruction). Discarded, lost, or destroyed data is said to have gone to the bit bucket. On Unix, often used for /dev/null. Sometimes amplified as the Great Bit Bucket in the Sky.

Blackhole

This is a system where suspected spam is accepted by the mail server or user and silently deleted. Neither the sender nor the receiver is notified.

This seems to be preferred by many companies as it means that none of their potential customers will see a rejection message, and by many users as they cannot tell if a spam filter deleted the message or some other computer glitch deleted it before it got to their server. When coupled with a whitelisting system where any outgoing e-mail address is whitelisted for a response, the error rate can be almost invisible to the senders and the receivers.

As with the quarantine method, it is a more expensive method than using DNSbls.

Blowback, Backscatter, Misdirected Bounces

Delayed bounces, virus notices, out-of-office messages and other forms of auto-responses that are frequently misdirected, basing their targets on data found within forged header lines. In the past, these types of notifications were a nicety. However, as the spammers have once again used a "feature" of something developed under the "trusted users" model to aid in delivering their spew, this activity of e-mail servers has moved into the "bad" zone. More desirable these days is for non-deliverable e-mail to be handled at the time of attempted delivery, such that any rejection notice required is supplied to the sending server, rather than to a possibly innocent third party.

More accurately, it refers to a mail message that a mail server generates to indicate that a mail message was not delivered.

RFCs allow a receiving mail server to generate a bounce, but that is no longer good practice: for spam or viruses, which are now between 50 and 70 percent of incoming e-mail, that bounce will go to some innocent victim, like you.

The preferred practice is for the receiving mail server to issue an SMTP reject code if it cannot deliver the e-mail, and then the sending mail server will generate a bounce.

Since spam and most recent viruses are not sent through real mail servers, no bounce message will be generated for them.

Breidbart Index (BI)

A weighted measure of posting and cross posting of an article in newsgroups in which an index of 20 or greater is taken by some administrators to be a spamming violation and the posts liable to cancellation.

The Breidbart Index is defined as the sum of the square roots of n (n is the number of newsgroups each copy was posted to).

Example: If two copies of a posting are made, one to 9 groups, and one to 16, the Breidbart Index is 1*sqrt(9)+1*sqrt(16) = 3+4 = 7.

Example: If 10 copies of an article are posted, each cross-posted to 4 groups, the BI is 10*sqrt(4) = 20.

A cache (pronounced cash) or buffer is basically a local copy or storage area that provides speedy access to stuff that is normally stored elsewhere. Computers cache and buffer information inside and outside their CPUs, in RAM, and on Hard Disks. In the interest of speed and reduced redundant network traffic and load, the Parser caches DNS, WHOIS and abuse.net lookup results (more info on them below). Information about how long the Parser caches those lookup results is confidential, as exact numbers might give the spammers ideas.

Cartooney

The term cartooney refers to the baseless legal threats or the nonexistent lawyers often made by spammers in their attempts to be removed from mail filters. The word can be used either as an adjective or a noun; i.e., "The spammer made cartooney threats" or "The spammer sent me a cartooney".

CatchAll Account

An e-mail account that accepts anything in front of the [at]Domain part of the e-mail address. In the days before spam, this was a normal mode of most all Domain / web-site settings. Now it's more advised to actually define 'real' e-mail accounts to be used by that Domain and reject e-mail sent to non-existent accounts. This is sometimes an issue with various web-hosting plans that may limit the number of e-mail accounts that can be used, but there should normally be enough available to handle things like info[at] sales[at] webmaster[at] etc.

C/R or Challenge Response

A service that issues a challenge to make sure that a human is sending a mail.

When they challenge spam and viruses, they bother innocent people.

If they use SMTP rejects, then only real senders will get the challenges.

Generally an expensive method of spam control, and spammers can easily get around the challenge if they care to by redirecting the challenge to a porn site and promising free porn to the humans that visit the site and answer the challenge.

A challenge response system that does not use SMTP rejects is prone to sending e-mail to spamtraps which will cause other mail servers to refuse the challenges.

The only way for a challenge response system that does not use SMTP rejects to avoid hitting spam traps is to make sure that it never issues a challenge to a forged address in a spam or a virus. And of course if it knew how to do that, it would not need to issue a challenge.

Chain Mail

A typical chain letter consists of a message that attempts to induce the recipient to make a number of copies of the letter and then pass them on to two or more new recipients. A chain letter can be considered a type of meme, a self-replicating piece of information that uses a human host to distribute copies of itself. Common methods used by chain letters include emotionally manipulative stories, get-rich-quick pyramid schemes, and the exploitation of superstition to threaten the recipient with bad luck or even physical violence if he or she "breaks the chain" and refuses to adhere to the conditions set out by the letter.

A content filter is one that looks at the contents of a message and tries to guess if it is spam or a real e-mail.

Generally content filters are not very accurate, and as they require that the mail server allow the transfer of the body of the message, they are more expensive to operate than using DNSbls.

Generally, to make up for the inaccuracies in content filters, they are accompanied by a quarantine area to check for errors.

The accuracy of content filters can be greatly enhanced by using conservative DNSbls to keep the bulk of the spam out of the mail server, and then using aggressive DNSbls or failed strict rDNS checks to determine if the content filter should examine the message.

Of the content filter checks, the one that shows the most accuracy is to look up the I.P. address that any web link in the e-mail references, and check it against a DNSbl. But you only want to do that check on e-mail that fails one of the aggressive tests, or you may miss legitimate mail discussing spam and how to fight it.

Content-ID: / cid:

The Uniform Resource Locator (URL) schemes, "cid:" and "mid:" allow references to messages and the body parts of messages. For example, within a single multipart message, one HTML body part might include embedded references to other parts of the same message. (extracted from http://www.ietf.org/rfc/rfc2111.txt )

DNSbl

DNS based blocking system. A DNS server keeps track of IP addresses that meet the listing service's criteria. Also known as BLOCKING LISTS and BLACKHOLE lists.

Mail servers and other network servers can reference them to reject mail or connections, or to decide if they need to examine them further. They also can be used to indicate trusted IP addresses to accept mail or connections.

There are many DNSbls with different criteria.

The spamcop.net DNSbl lists IP addresses that spam has been reported to originate from. It is aggressive, and may list real mail servers.

Some list only IP addresses that have been shown to be compromised and abused by spammers. Others list IP addresses that are known to be controlled by spammers.

These are known as conservative DNSbls.

And some list IP addresses that are DHCP assigned. These are known as Dynamic lists and sometimes DIALUP lists. Many mail servers will not accept e-mail from these addresses.

There are also DNSbls that list all IP addresses for specific ISPs and countries.

Use of conservative DNSbls can block over 80% of the incoming spam, usually without any real e-mail being rejected unless the sender's mail server has a severe security problem. Adding a good DHCP blocking list to that can eliminate most of the remaining spam with a very small chance of rejecting a real e-mail.

An aggressive DNSbl can be used to indicate if additional tests should be done on an incoming e-mail to see if it is spam or real e-mail.

Domain names have an important role in Internet traffic. They provide a straightforward basis for contact with computers, websites and electronic mailboxes belonging to companies, other organizations and private individuals. Using a domain name, an Internet user can, for example, find the site belonging to a company and thus obtain information, view the company's catalogue, place an advertisement, perform a financial transaction, place an order or whatever. In short, domain names make the Internet usable.

Domain names are derived from the unique numbers that all computers on the Internet have. These numbers are known as IP (Internet Protocol) addresses and consist of figures only. Unfortunately, long numbers aren't very easy to remember, so it was decided to use a system whereby you can have a name that corresponds to an IP address. The Internet uses what are known as "domain name servers" to look up the numbers (IP addresses) that these names correspond to. Every domain name is made up of at least two elements. The last element of the name is called the top-level domain. Country code top-level domain names refer to countries; so, for example, there is ".nl" for the Netherlands, ".be" for Belgium and ".de" for Germany (Deutschland).

Not all top-level domain names relate to countries, however. The most commonly seen top-level domains were agreed upon as an aid to identify the type of site you were going to visit. These include ".com" for commercial, ".org" for organization, ".edu" for educational, ".net" for network, ".gov" for government. Recent additions include '.info' for informational and '.biz' for business. However, it must be noted that spammers and hucksters have managed to further muddy the waters that these 'identifying' names were supposed to represent.

The item in front of the top-level domain name is usually the company/personal/entity name of the folks behind the web-site.

The "www:" in front of all of this is also (mostly) a convenience, letting the user know that this is a web site normally accessed via a web-browser using HTTP (HyperText Transfer Protocol) .. You may also see "ftp:" (File Transfer Protocol) or "news:" (Network News Transfer Protocol)

Items seen between the first "protocol" bit and the company/personal/entity name are basically there to guide you to a certain/specific area that is hosted by the folks behind the name. Items seen after the Top-level Domain name (separated by a "/") will take you to a specific web-page on that hosted web-site.

Fastflux

Alternative (somewhat overlapping but complementary) definitions:

A situation wherein a server is "hosted" on some sort of a botnet of disparate (and undoubtedly unknowing) machines. This makes it difficult to resolve and, once it does resolve, the SpamCop parser usually only picks on the first of the rotating roster of addresses.

Generally, the spammer hosts DNS records on compromised computers using a very short time-to-live number. The SpamCop parser may hit one time when there is something actually found at the IP Address found at the time of its DNS look-up, other times it will hit a cached record but the actual payload has already moved.

Flaming

Flaming is the act of posting messages that are deliberately hostile and insulting. It will not be tolerated in the SpamCop Forums with the possible exception of the Lounge, but even there limits do exist.

Differences of opinion are not flaming and are fully welcome here. All we ask is that you follow standard Netiquette. For a more detailed definition see Wikipedia:Flaming

FormMail

Formmail.pl, one of the most-used Perl scripts on the Web, is designed to send data entered into a Web form to an e-mail address. This script could be exploited by a malicious user who could use FormMail as a spam server. If you use this script, spammers may be able to use it to send spam freely using your server's resources.

A server that is set up to trick an intruder. Located either outside or inside the firewall, it is designed to let crackers think they are in a production machine. The applications running in the honeypot are set up similar to a normal server except that the data being processed is phony.

The honeypot is used to detect intruders' techniques as well as determine what may be vulnerable in the configuration of servers that are performing valid work. A "honeynet" is a network containing honeypots. A "virtual honeynet" is a honeynet that resides in a single server, but pretends to be a full network.

See entry in The Jargon File for additional meanings and usages of the term.

HTML

HyperText Markup Language (HTML) is the most common language of the World Wide Web (WWW). It can be used for formatting purposes in both the SpamCop Forums as well as the SpamCop Wiki, but its use has been limited due to abuses.

In the forums, it has been limited to use within the FAQ related forums only, and further limited to use by only those who have previously shown an interest and ability in working on expanding and/or improving the current SpamCop FAQ.

Note: the primary language for formatting within the SpamCop Forums is BB code, which is open to use by all registered users.

In the Wiki it can be used by any registered user but the language itself has been reduced to a "safe" set of commands.

HTTP

HyperText Transfer Protocol - The protocol for moving hypertext files across the Internet. Requires an HTTP client program on one end, and an HTTP server program on the other end. HTTP is the most important protocol used in the World Wide Web.

HyperLink

A HyperLink is a clickable link to another page, document or other resource.

Internet Message Access Protocol (IMAP) is one of the major email protocols along with SMTP and POP3 and belongs to the application layer of the Internet protocol suite.

It is one of the three (four, if you count forwarding) methods for retrieving messages from a SpamCop Email Account. The other two are POP3 and WebMail. You need a local email client to make use of IMAP. Unlike POP3 which will download all unread mail to your local email client, IMAP allows for direct access of your mail on the mail server permitting selective downloading of your messages and also allows for easy moving of messages between different email servers and accounts.

It can also be used in conjunction with the VER interface to make use of the additional reporting options only available with a SpamCop Email Account.

Innocent Bystander (IB)

An Innocent Bystander (IB) is a URL or URI that is present in spam but is not authorized for such use by its owner.

Spammers will put 'innocent' URLs in their spam to make it look legitimate, for instance references to news articles or government web pages. Other examples include the mandatory advertising placed at the bottom of email messages in footers by free webmail companies and by antivirus software*. In the case of phishing email, nearly all links will be stolen from the Innocent Bystander.

An attempted Report of a URL or URI that is marked as an Innocent Bystander will be met with "ISP does not wish to receive report regarding [the Innocent Bystander]" and possibly "ISP does not wish to receive reports regarding [the Innocent Bystander] - no date available".

*Opinion: It is understood that free webmail companies need to recoup their investments via footer advertising. However, paid antivirus software companies and paid ISPs are attempting to double-dip (unless they make it very clear in advance to their customers that their prices are significantly lower due to their footer advertising schemes, and give their customers options to pay higher prices for advertising-free products).

IP

An IP is an "Internet Protocol" implementing lower layers of the ISO 7-layer model for purpose of communication.

An "IP address" is something different, and having people call it "an IP" only harms communication.

IP Address

Each device connected to a network, be it a LAN (Local Area Network), a WAN (Wide Area Network), or the Internet, has an assigned unique IP (Internet Protocol) Address which identifies that specific device to the rest of the network. For example, Show me my IP Address will take a look at "your" computer and list the address of "your" system. (If you are using a modem to dial into your ISP, this number will likely change at every connection ... cable and DSL modems may have the same address for quite a while.) Your ISP has a pool of IP Addresses; some are used to provide their customers with a unique address when on-line, others the ISP uses itself for things like running an e-mail server to handle all the incoming/outgoing e-mail for their customers. (NOTE: the above is very simplified. If/when all the other techy stuff gets added, this block will be revisited and a bunch of items will be added, like "See TCP/IP, Network Protocols, Proxy, etc.")

IPv4 (Internet Protocol version 4) defines the network level of the Internet Protocol on which today's internet is based. It defines an IP address as a 32-bit (4 byte) address which can be written in a number of different ways. Trying to keep this simple, the reason you need to understand something about it is that SpamCop uses IP addresses as defined by IPv4 in its attempt to filter out spam from the internet.

IP addresses can be written in many different forms, but the one used exclusively by SpamCop is the Dot-decimal notation. All addresses fall within the range of 0.0.0.0 to 255.255.255.255.

The addresses that are most important to SpamCop are the IP Addresses of the Mail Server(s) used to send/receive email. Without knowing the specific IP addresses involved in handling your email, it is impossible to know why your mail may not be getting to its intended destination.

The number of unassigned Internet addresses, based on IPv4 is running out, so a new classless scheme called CIDR is gradually replacing the system based on classes A, B, and C and is tied to adoption of IPv6 (Internet Protocol version 6).

IPv6 (Internet Protocol version 6) was created to deal with the address shortage under IPv4 and allows for a near unlimited supply. It is currently in use in the internet but only represents a very small amount of today's traffic. SpamCop currently does not work with IPv6 addresses which are normally written as eight groups of four hexadecimal digits. IPv6 addresses are 128 bits long compared to the 16 bit addresses of IPv4.

Internet Service Provider .... the company you are giving your money to that lets you then connect to the Internet, send and receive e-mail, interact with some strange people, check the weather without having to get out of bed .. all those important things

Jargon

Definition 2 of the noun "jargon" per Merriam-Webster is "the technical terminology or characteristic idiom of a special activity or group". In the case of this Glossary (which attempts to explain SpamCop Jargon), the special activity is spam-fighting via SpamCop, and the group is spam-fighters or anti-spammers who use SpamCop. For more generic computer or hacker jargon, please see The Jargon File.

Joe Job

1. A "joe job" is a spam run forged to appear to come from another innocent party, with the intention of generating complaints about the victim and damaging their reputation.

2. A Joe job is an e-mail spam designed to tarnish the reputation of an innocent third party. Despite having existed since at least 1996, Joe jobs are uncommon compared to other types of spam because they provide no commercial benefit to the Joe jobber.

3. A "joe job" is something far above and distinct from the all too typical spammer construct of a "From" Address Forgery

Spammers use List Washing as a method of removing "trouble makers" (those who have filed formal complaints) from their mailing list. This generally does not include those who have simply sent an unsubscribe request. Spammers use unsubscribe requests as a means to validate their mailing list and to create additional lists of addresses that are known to open and read spam messages. These lists are considered extremely valuable to spammers who sell the list as validated email addresses.

Responsible list managers may use the process of list washing but the term should not be used in this context. List maintenance, merger/purge are better terms to use when talking about responsible list management where all unsubscribe requests are promptly processed and addresses are not added until they have been positively confirmed. The process can also be used to fine tune their lists for the specific needs or desires of their clients/subscribers.

Due to file space limitations, the glossary has been broken up into multiple posts.

See post #2 for next section of the Glossary

Edited March 5, 2015 by turetzsr: Added links to new entries "Parse," "Parser Page" and "Parsing."
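Added example (not part of the original glossary post): the tiering described in the DNSbl and content filter entries above, in Python, where conservative and dynamic lists reject outright, an aggressive listing only triggers further checks, and link IPs are looked up only for mail that failed the aggressive test. The zone names, the sample records and the choice to check link IPs against the conservative zones are assumptions made for this illustration.

```python
"""Tiered DNSbl triage (added example; zones and records are constructed)."""
import ipaddress
import socket
from typing import Callable, Iterable, List, NamedTuple, Optional, Sequence

# Hypothetical zone names standing in for real lists of each kind.
CONSERVATIVE_ZONES = ("conservative.dnsbl.example",)
DYNAMIC_ZONES = ("dynamic.dnsbl.example",)
AGGRESSIVE_ZONES = ("aggressive.dnsbl.example",)

# DNSbl listings are returned as A records inside 127.0.0.0/8 (RFC 5782).
LISTING_NET = ipaddress.ip_network("127.0.0.0/8")

Resolver = Callable[[str], List[str]]  # query name -> A records ([] if none)


class Verdict(NamedTuple):
    action: str  # "reject", "content-filter" or "accept"
    reason: str


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the IPv4 octets and append the zone: 192.0.2.10 -> 10.2.0.192.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # ValueError if not IPv4
    return ".".join(reversed(octets)) + "." + zone


def is_listed(ip: str, zone: str, resolve: Resolver) -> bool:
    """Listed only if an answer lies in 127.0.0.0/8; a wildcard or hijacked
    answer pointing anywhere else must not be read as a listing."""
    for answer in resolve(dnsbl_query_name(ip, zone)):
        try:
            if ipaddress.ip_address(answer) in LISTING_NET:
                return True
        except ValueError:
            continue
    return False


def first_listing(ip: str, zones: Sequence[str], resolve: Resolver) -> Optional[str]:
    for zone in zones:
        if is_listed(ip, zone, resolve):
            return zone
    return None


def system_resolver(name: str) -> List[str]:
    """Live lookup through the system resolver; lookup failure means 'not listed'."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def triage(client_ip: str, link_ips: Iterable[str], resolve: Resolver) -> Verdict:
    # Tier 1: conservative and dynamic lists reject outright. "reject" means an
    # SMTP reject code during the session, never a bounce generated afterwards.
    zone = first_listing(client_ip, CONSERVATIVE_ZONES + DYNAMIC_ZONES, resolve)
    if zone:
        return Verdict("reject", f"client {client_ip} listed in {zone}")
    # Tier 2: an aggressive listing is not grounds for rejection by itself.
    zone = first_listing(client_ip, AGGRESSIVE_ZONES, resolve)
    if zone is None:
        # Link IPs are deliberately not checked here, so legitimate mail that
        # discusses spam and quotes spamvertized links is not caught.
        return Verdict("accept", f"client {client_ip} not listed")
    # Tier 3: only for mail that failed the aggressive test, check link IPs.
    for link_ip in link_ips:
        link_zone = first_listing(link_ip, CONSERVATIVE_ZONES, resolve)
        if link_zone:
            return Verdict("reject", f"link {link_ip} listed in {link_zone}")
    return Verdict("content-filter", f"client {client_ip} listed in {zone}")


# Constructed records (documentation address ranges), keyed by query name.
SAMPLE_RECORDS = {
    "10.2.0.192.conservative.dnsbl.example": ["127.0.0.2"],   # 192.0.2.10
    "20.100.51.198.dynamic.dnsbl.example": ["127.0.0.2"],     # 198.51.100.20
    "30.113.0.203.aggressive.dnsbl.example": ["127.0.0.2"],   # 203.0.113.30
    "40.113.0.203.aggressive.dnsbl.example": ["127.0.0.2"],   # 203.0.113.40
    "99.2.0.192.conservative.dnsbl.example": ["127.0.0.2"],   # link 192.0.2.99
    "50.113.0.203.aggressive.dnsbl.example": ["192.0.2.1"],   # bogus answer
}


def sample_resolver(name: str) -> List[str]:
    return SAMPLE_RECORDS.get(name.lower(), [])


if __name__ == "__main__":
    for ip, links in [("192.0.2.10", []), ("203.0.113.30", ["192.0.2.99"]),
                      ("203.0.113.40", ["198.51.100.7"]), ("198.51.100.200", ["192.0.2.99"])]:
        print(ip, triage(ip, links, sample_resolver))
```

Passing `system_resolver` instead of `sample_resolver` runs the same policy against live DNS once the zone tuples name lists you actually use.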


Note: the Glossary has been broken up into sections due to file space limitations.

See post #1 for previous section of the Glossary

Mail-Host Configuration

Procedure of "training" the SpamCop parser to identify the mail-hosts / e-mail servers that "your" e-mail travels through on its way to your InBox. The primary purposes of configuring your account are to help identify some spammer forgery and manipulation of the spam headers to point to innocent ISPs and to help prevent folks from reporting themselves or their own ISPs. Nothing is foolproof, blindly trusting any tool is silly, so the requirement that you verify the parser analysis and report targets is still a mandatory part of the agreement between you and SpamCop. It has been stated that performing this configuration on your account will be mandatory at some time in the future.

Manual Report

A Manual Report is a Report that you construct and send by hand. Manual Reports should be sent for cases where you can't or shouldn't send a SpamCop Report. These cases include, but are not limited to:

Network Abuse that is not spam

Viruses

Worms

Worm Poop

Bounces

Double Bounces

Attempts to Relay, Hack, and Crack

Newsgroup Posts that violate a Newsgroup Charter but have a BI (Breidbart Index) less than 20

URLs that the Parser refuses to find because of its strict adherence to standards

URLs that the Parser refuses to deal with because there are too many (please don't report unclickable URLs)

URLs that the Parser refuses to deal with because they are in JavaScript

Email Addresses that you know derive benefit from spam (such as those used in 419 Advance Fee Fraud spam emails and in spam emails that do not contain even one URL)

Phone Numbers that you know derive benefit from spam (such as those used in diploma mill spam emails and in spam emails that do not contain even one URL), if you can figure out where to send the Report

Violations of any TOS (Terms Of Service or local equivalent), AUP (Authorized or Acceptable Use or Usage Policy or local equivalent), Rule, Law, Internet Standard, RFC (Request For Comments), and/or BCP (Best Common Practice)

Anything else that a SpamCop Admin or Deputy states shouldn't be reported through SpamCop

Although you may use the SpamCop Parser to identify where to send your Manual Report, "SpamCop" should not appear in that Report, except possibly in the Headers because you received the email through your SpamCop Email System account. Manual Reports should include a minimum of facts and explanation of facts, unless you know the recipients need more, and should be polite. If you have the time to do the research, it helps to quote the chapter and verse (specific Section or Subsection) of the TOS/AUP, Internet Standard(s), and/or RFC(s) that you think is/are being violated. When complaining about commercial use of an MSN Hotmail or Yahoo! account, for instance, I have found the phrases 'in violation of the Term "Unless otherwise specified, the MSN Sites/Services are for your personal and non-commercial use" of your "MSN Terms of Use" per your page http://privacy.msn.com/tou/' and 'exploiting that customer's Yahoo! I.D. and Email portions of your Service for commercial purposes in violation of Term 10 of your Yahoo! Terms of Service at http://docs.yahoo.com/info/terms/' and quoting of whois results to be helpful in expediting the desired results.

Mung (or munge) is computer jargon for "to make repeated changes which individually may be reversible, yet which ultimately result in an unintentional irreversible destruction of large portions of the original item." It was created in 1958 at the Tech Model Railroad Club, at the Massachusetts Institute of Technology. In 1960, the backronym "Mash Until No Good" was created to describe Mung, and a while after that it was revised to "Mung Until No Good", making it one of the few recursive acronyms.

Mung originally had two main meanings: to make large-scale and irrevocable changes to a file and to destroy something. A person who vandalizes a Wiki page would not be munging that page because the changes could be reversed. In the early text-adventure game Zork, also known as Dungeon, the user could mung an object and thereby destroy it, making it impossible to finish the game if the object was an important item.

The spam epidemics of the 1990s have created a new meaning for mung: to modify an e-mail address so that humans can readily reverse it but robots and address harvesters cannot.

Mung also sometimes stands for Multipurpose Unilateral Nonsense Generator, which is a program that will take web pages and run algorithms on them to make them read as if said in a dialectical manner.

MX stands for "mail exchange" or Mail Server. MX is a type of DNS Resource Record, which tells SMTP Senders where to send email for a particular domain (specifically identifying a hostname, which must then have at least one A Record pointing to the IP Address(es) of the Mail Server(s)). "is not an MX for domainname" means that the Mail Server IP Address currently under review by the Parser is not listed in any A Record for any hostname in any MX Record for domainname, and that it therefore is not a registered Mail Server for domainname. Please see RFC 974 MAIL ROUTING AND THE DOMAIN SYSTEM for more information on the use of MX Records.

Netiquette

Netiquette (formed from "Internet etiquette") is a catch-all term for the conventions of politeness to be used when communicating over the internet, including Wikis and Forums. These conventions address group phenomena (such as flaming) with changes in personal behaviour, such as not posting in all uppercase, not (cross-)posting to inappropriate forums, refraining from commercial advertising outside the biz groups, etc.

A newsgroup is a repository for messages posted from many users at different locations. Originally built upon Usenet (a distributed Internet discussion system); newsgroups were/are popular methods of maintaining discussions worldwide on specific subjects. Newsgroups do not have to be part of the Usenet environment, and many reside on single servers providing a place for discussion, feedback and customer support of individual applications and/or services.

A Network Operations Center or NOC (pronounced "nock") is one or more locations from which control is exercised over a computer or telecommunications network, or part thereof.

NSP

A network service provider (NSP) is a business or organization that sells bandwidth or network access by providing direct backbone access to the Internet and usually access to its network access points (NAPs). For such a reason, network service providers are sometimes referred to as backbone providers or internet providers.

An internet service provider (ISP) usually obtains its network access from NSPs and resells that access to consumers and other businesses.

Parser

The SpamCop program that analyzes spam headers and content to look for the spam source, spamvertized links and the abuse address to which to report them.

Parser Page

The SpamCop parser page is the page returned to you when you click the "Process spam" button on the form where you paste in the spam headers and body content.

Parsing

The act of the SC parser (the program that analyzes spam headers and content) analyzing the spam headers.

Phish / Phishing

The practice of sending bogus e-mails that try to trick people into revealing private and / or financial information for purposes of identity theft. AOL needs your password, e-bay is going to close your account if you don't verify your data in the next 12 hours, CitiBank needs your data to verify their records, fantastic opportunities to get a mortgage at a discount with no credit check involved, you are the 1,000th visitor to this web page, on and on, obviously idiotic ploys to get "you" to fill in the blanks.

A contract from an Internet service provider to a spammer exempting the spammer from the usual terms of service prohibiting spamming. Usually pink contracts come about because ISPs can charge the spammer a great deal more than they would a normal client.

POP3

Post Office Protocol version 3 (POP3) is one of the major email protocols along with SMTP and IMAP, and belongs to the application layer of the Internet protocol suite.

It is one of the three (four, if you count forwarding) methods for retrieving messages from a SpamCop Email Account. The other two are IMAP and WebMail. You need a local email client to make use of POP3 which will download all unread mail to your local email client but does allow for the option of leaving a copy of the messages on the server.

Proxy

Software agent that performs a function or operation on behalf of another application or system while hiding the details involved.

A software agent that acts on behalf of a user. Typical proxies accept a connection from a user, make a decision as to whether or not the user or client IP address is permitted to use the proxy, perhaps does additional authentication, and then completes a connection on behalf of the user to a remote destination.

An intermediary program which acts as both a server and a client for the purpose of making requests on behalf of other clients. Requests are serviced internally or by passing them, with possible translation, on to other servers. A proxy must interpret and, if necessary, rewrite a request message before forwarding it. Proxies are often used as client-side portals through network firewalls and as helper applications for handling requests via protocols not implemented by the user agent.

As defined above, a proxy can be a good thing. As such, open and abusable proxies fell into the list of things 'good' about the 'net' that spammers learned to abuse. These days, with spammers and virus writers teaming up, open/abusable proxies are no longer only something set up by an ISP/Hosting service, unfortunately cropping up around the world on home/end user computers. Folks, install and update anti-virus and anti-spyware tools, get that firewall installed. Learn to use them all.

PSBL - Passive spam Block List

The Passive spam Block List, or PSBL, uses the Spamikaze software, which works in a really simple way. If one of the related spamtraps receives email, the IP address it came from gets listed. After a certain time the IP address times out and is automatically dropped from the list. However, if the IP address belongs to a real mail server, most likely one of the users of the mail server is going to notice the listing and will remove the mail server from the PSBL. It should be noted that anyone can remove any IP address at any time from this list, making it the easiest list to get off of. PSBL also makes available the complete headers and email content of the spam it receives with only the spamtrap address being munged. SpamCop has found it necessary to stop making this information available.

The software is also available to anyone with the desire to set up a similar list at no cost.

Please note that there is no relationship between the PSBL and the SpamCopBL other than their independent but common purpose in trying to stop spam from getting into the inboxes of users who have chosen to make use of their services.

Quarantine

A place that a mail server or mail program will put suspected spam. Generally if there is a high amount of spam in the quarantine area, real messages will get lost, or be delayed.

Note that if the mail was rejected instead of quarantined, the sender would have received a bounce generated by their mail server, so would know that the mail was not delivered, so would have been able to make arrangements to get a time critical message.

Ironically, the tagging / quarantine systems are put in because of fear of rejecting a real mail message, but by not issuing an SMTP reject, they introduce human error, and are probably more likely to cause a time critical message to be lost or delayed.

Quick Reporting

Mode of reporting in which ONLY the source of the spam is tracked and reported. Items within the spam body are ignored. When it works, it's great within this limited scale of reporting. However, if anything goes wrong, the lack of oversight has caused problems for some users. These problems led to the creation of the MailHost configuration to minimize these errors. However, just as a hammer has the capability of hitting one's thumb rather than the nail on occasion, the decision to use Quick-Reporting should only come after verifying that the spam submittals are parsed correctly .. specifically, that one is not trying to report themselves.

Reverse DNS. The reverse DNS is a service that returns a name assigned to an I.P. address.

An I.P. address can be used by many domain names. The rDNS name is the true name, the rest are aliases, or "nicknames".

Apparently there is a requirement that a mail server identify itself with its rDNS assigned name when it attempts to deliver e-mail.

The receiving mail server can verify this name against the I.P. address to see if it can trust the sending mail server. It is estimated by some internet posters that 80 percent of the incoming spam has bad rDNS data.

Unfortunately there are still too many real mail servers with misconfigured rDNS for many mail servers to use this easy method of sorting out spam.

Report

A SpamCop Report is an email sent to various administrators as suggested by the SpamCop Parsing and Reporting Service. Please see SpamCop Report Types for details on the types of SpamCop Reports that Reporters have the option of sending, and What does a SpamCop Report look like? for details on what a SpamCop Report looks like.

Report Email Address

A Report Email Address is an email address that can be used by the Report's recipient to indirectly email the Reporter for some time after the submission of the Report, incorporates a Report ID, is used as the From Address on the actual Report, and looks kind of like 1466329110[at]reports.spamcop.net but with an [at]-sign in the middle (spam emailed to this address will be treated as such). A report email address could be used to spam you, so you should avoid revealing it.

Report History

SpamCop Report History is an exclusive feature of the SpamCop Parsing and Reporting Service for Paid Reporters (both fuel-based and SpamCop Email System Customers). It shows the history of SpamCop Reports for a particular IP Address or URL. If it is applicable (the Reporter is authorized to view Report History and there is a History of Reports), a "[Report History]" Link will appear in the Parser's output under either "host IP Address = RDNS of IP Address" or "Tracking link: URL", as appropriate. The Report History shows the following for each Report of a spam that implicated that particular IP Address or URL: Date/Time Submitted (grouped by spam); the Subject of the spam (in italics, grouped by spam); Report ID; "( IP Address )" or "( URL )" or "( )" or "( Forwarded spam )"; "To:", and the Email Address of the Report's Recipient (which may include devnull if the intended Recipient's Email Address bounces or refuses Reports, or may be "mole[at]devnull.spamcop.net" for a Mole Report (which is not actually sent)). A typical Report History can be found here. "No recent reports, no history available" will be displayed as appropriate, meaning that no issueid has been assigned to that IP Address or URL. "Cannot find spam reports for issueid = issueid" indicates a database error, in that the IP Address or URL has been assigned an issueid, but there are no Reports matching that issueid.

Report ID

A SpamCop Report ID number is a unique number, as of this writing ten digits long like 1466329110, assigned by the SpamCop Parsing and Reporting System to a particular Report sent to a particular Administrator regarding a particular piece of a particular spam by a particular Reporter.

Please note that the Report ID numbers are keyed to your reporting account, such that someone else's Report ID numbers are pretty much useless to you for discussing the actions of the SpamCop Parsing and Reporting Service and they could be used to spam you, so you should avoid revealing them. The Moderation Team suggests that you discuss a Tracking URL instead - for instructions on how to get one, please see FAQ Entry: Getting a Tracking URL from a Report ID.

This is the address that should be used when replying to an email. It is frequently the same as the "From:" address, but just as often may be different. Note: some mail programs and/or individuals will use the "From:" address when sending a reply or bounce instead of the "Return-Path:" address.

Spammers have made it a common practice to use forged "Return-Path:" and "From:" addresses to protect themselves from receiving bounces from the mail that they send. One major problem with this is that the address used is often a valid e-mail address. The owner of this forged address, AKA an Innocent Bystander, may start receiving thousands of bounces in a single day caused by a single spam run that just happened to use their address as a forged Return-Path address.

RFC

RFC stands for Request For Comments, but RFCs are usually what results after the comments about a subject are done. RFCs are the rules of the internet, and e-mail.

Systems and users that do not comply with the RFCs can expect to have problems communicating on the internet.

RTFF

Read The Fine FAQ. Also, Read The F___ing FAQ in coarser circles. We currently recommend the SpamCop FAQ (about SpamCop), the SpamCop Forum FAQ (about these Forums), and the SpamCop Glossary (this document). There is also the quaint old cache of the original FAQ-O-Matic SpamCop.Net FAQ, if you're into history, and the still-under-development SC-FAQ.

RTFM

Read The Fine Manual. Also, Read The F___ing Manual in coarser circles. As SpamCop doesn't have a Manual per se, please RTFF instead.

Simple Mail Transport Protocol. This is how E-MAIL is transferred on the Internet.

SMTP connections are used by email client applications to transfer the message to the internet for delivery.

SpamCop Email service does not support remote SMTP connections. To send email using SpamCop's SMTP services, you must log into the WebMail application and send the message directly from that connection.

Spammers would love to sign up for spamcop and send spam just to discredit the service. You need to use your ISP's SMTP server or check out Jeff G.'s Hotspot SMTP-Auth Provider Status Report for other SMTP services.

SMTP-AUTH

SMTP-AUTH extends SMTP (the Internet e-mail transmission protocol) to include an authentication step through which the client effectively logs in to the mail server during the process of sending mail. Servers which support SMTP-AUTH can usually be configured to require clients to use this extension, ensuring the true identity of the sender is known. SMTP-AUTH is defined in RFC 2554.

SMTP-AUTH is currently in the beta stage of development for the SpamCop Email Service.

SMTP Reject

This is where the receiving mail server refuses delivery with a code and a brief message to describe why.

This is now the only non-abusive way for a receiving network to indicate that a message will not be delivered.

A mail server that is the front end for other mail servers on a network now should have the ability to verify that the destination mail servers will accept the message, and this is possible with current technology for such complex systems.

spam, in our web based usage, should never be spelled "SPAM", which is a registered trademark of Hormel Foods (see http://www.spam.com/hp/hp_lg.htm). Additionally, unless grammar requires it, spam should never be spelled "Spam", as it is not a proper noun.

SpamCop is a comprehensive service offering something for everyone in the fight against spam. In this case, COP stands for Citizen On Patrol. SpamCop Reporters patrol their mailboxes and report the spam inside. SpamCop has the following component Services and Systems:

An email address that is never used to send or receive email, created for the specific purpose of "trapping" spam. spam Traps are used by those who maintain blocklists to identify spamming sources.

Spammers can discover spam Trap addresses through various means - the same ways that they use to get your email address. An email address that has been abandoned because of the amount of spam it receives is not considered a true spam Trap and should not be used for that purpose.

The SCBL (SpamCop Blocking List) uses spam Traps to identify the IP addresses from which unsolicited email comes, and is programmed to recognize and discard confirmation emails sent to mistyped addresses. The SCBL's algorithm for listing IP addresses applies a heavier weight to spam Trap hits than to Reports and as a result, spam Traps can cause IP addresses to be listed much faster and for longer time periods than Reports. spam Trap hits do not generate Reports, and therefore do not show up in the Report History.

SpamvertizedURL

A URL/URI displayed within spam which directs one to a web page that contains advertizing content or serves as a redirect link for the benefit of the spammer.

The displayed URI may be misleading as it often times is part of an html link that actually takes one to a totally different URL.

Not all URLs contained in a spam message are SpamvertizedURLs. Many are simply the URLs belonging to innocent bystanders which the spammer is using without permission for his own selfish purposes. Phishing spams normally contain numerous URLs belonging to an innocent bystander(s) which are used to make the message seem legitimate.

Tarpitting

Adding a delay in an SMTP conversation between mail servers in order to thwart spammers. A mail server can be set up to insert delays between messages when a single e-mail has a large number of recipients. It could send "X" number of messages without adding any delay, then start inserting a delay of "X" seconds between additional messages. For example, if a five-second delay were added to a million messages, it would take 60 days to release them from the mail server. The term comes from "tar pit." If you fell into one, you would be slowed down.

The logic the SpamCop parser uses as it finds the right reporting parties for your spam. This can be helpful for advanced users who want to double-check SpamCop's logic, or for new users who want to learn from SpamCop's example.

This "future reference" URL is the "Tracking URL" .... As one of the IronPort "purchase" benefits has turned out to be the addition of some serious storage capabilities, the entire spam submittal is now stored (for some time). These days, things are made much easier when asking for some review, analysis, or assistance; simply copy this provided link and use it to point to the spam submittal in your query. This way, anyone looking to try to answer the query is looking at the spam submittal as the SpamCop parsing engine saw it, thus everyone is talking about the same data.

Normally following the word we (tinw) is the acknowledgment of the author that though implying to speak for the group (we), the reference is more correctly to be viewed as being from the individual perspective, and not as speaking authoritatively as a representative of a group; yet at the same time trying to express the understanding that the concept does belong to the group.

URI Uniform Resource Identifier

A Uniform Resource Identifier (URI) is a compact sequence of characters that identifies an abstract or physical resource. This specification defines the generic URI syntax and a process for resolving URI references that might be in relative form, along with guidelines and security considerations for the use of URIs on the Internet. The URI syntax defines a grammar that is a superset of all valid URIs, allowing an implementation to parse the common components of a URI reference without knowing the scheme-specific requirements of every possible identifier. This specification does not define a generative grammar for URIs; that task is performed by the individual specifications of each URI scheme.

A URI can be further classified as a locator, a name, or both. (see the following entries "URL" and "URN")

The term "Uniform Resource Locator" (URL) refers to the subset of URIs that, in addition to identifying a resource, provide a means of locating the resource by describing its primary access mechanism (e.g., its network "location").

Also please see Tracking URL as this is the most frequently requested item in the SpamCop forums which is an essential tool to help answer questions about the SpamCop parser.

URN Uniform Resource Name

The term "Uniform Resource Name" (URN) has been used historically to refer to both URIs under the "urn" scheme [RFC2141], which are required to remain globally unique and persistent even when the resource ceases to exist or becomes unavailable, and to any other URI with the properties of a name.

This phrase is seen in the reporting details for IP addresses. These "reports" are sent to uube[at]devnull.spamcop.net.

These reports appear to be the result of bounces that are hitting the SpamCop spamtraps and appear to be used to develop statistics on the number of bounces hitting the spamtraps.

Vacation Responders

A "nice" but dangerous feature found in many email client programs. It may be referred to by various terms, such as Out of Office Notice, Vacation Message, etc.

It will automatically send a prewritten reply to all messages received informing the "sender" that "you" have received the message but may be delayed in reading and or responding to the message.

In today's internet environment this has become a bad thing for several reasons, unless its usage can be programmed to deal with the problem of forged "from" / "reply to" addresses used in most spam. By automatically responding to messages with forged addresses, you risk having your mail server added to various blocking lists. This may be the result of replying to a spamtrap or to a victim who has now been buried by thousands of automatic replies from the millions of messages sent by a spammer who used their address (without permission) as a reply to address. The problem for you is that many ISPs and users to which you need to send email may automatically reject, flag, or delete your mail and the mail of all other users who happen to be using the same mail server as you to send their mail. In some cases you may receive a notice that the mail was rejected, while in other cases the mail is simply automatically deleted without being processed.

The following definition hints at another reason to avoid the use of Vacation Responders:

A vacation responder is a service that you can set on many mail servers to automatically let criminals know that they can steal your identity for a specific period of time without fear of getting caught. It allows them to steal anything from your company that someone else thinks you are authorized to mail without your signature.

These criminals are also known to use voicemail vacation messages for this purpose.

A service that you can get as an answering machine from the phone company instead of a standalone box. Criminals are known to use vacation/out-of-office notices from these to successfully steal from companies.

Web-Bug

Web-bugs are used by spammers to track if a human read the message. If you have your e-mail system set to plain text, they do not work.

WebMail

SpamCop WebMail is an implementation of Horde IMP.

It is one of the three (four, if you count forwarding) methods for retrieving messages from a SpamCop Email Account. The other two are IMAP and POP3 which both require a local email client to use where WebMail uses a browser instead and provides full access to your SpamCop Email Account.

Viruses, worms, and anything that generates a mail message to the forged address in a worm or a virus.

This included misconfigured virus scanners, vacation/out of office autoresponders, and mail servers that bounce undelivered mail instead of using SMTP rejects.

Additional Sources for Glossary Information

The SpamCop Glossary is being limited to terms used within the SpamCop Forums. The following additional links provide far more information which may both help to better explain terms defined in the SpamCop Glossary as well as many more terms not included here. They are listed in no particular order.

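The MX and rDNS entries in the glossary above each describe a check of a mail server's IP address against DNS data. The following is an added example, not SpamCop's parser code: it runs both checks over constructed records, and all function names, hostnames and addresses in it are assumptions made for illustration.

```python
"""MX membership and rDNS checks over constructed DNS data (no network access)."""
import ipaddress

# Constructed sample records; names and addresses are documentation-reserved.
MX_RECORDS = {"example.com": [(10, "mx1.example.com"), (20, "MX2.example.net.")]}
A_RECORDS = {
    "mx1.example.com": ["192.0.2.10", "192.0.2.11"],
    "mx2.example.net": ["198.51.100.25"],
    "mail.example.org": ["203.0.113.7"],
}
PTR_RECORDS = {
    "192.0.2.10": "mx1.example.com.",
    "203.0.113.7": "mail.example.org",
    "203.0.113.99": "mail.example.org",  # PTR names a host whose A record disagrees
}


def norm_name(name):
    """Compare DNS names case-insensitively and without the trailing root dot."""
    return name.strip().rstrip(".").lower()


def norm_ip(ip):
    """Canonical text form of an address; raises ValueError on malformed input."""
    return str(ipaddress.ip_address(ip.strip()))


def mx_addresses(domain):
    """Map every address behind the domain's MX hostnames to that hostname."""
    found = {}
    for _pref, host in sorted(MX_RECORDS.get(norm_name(domain), [])):
        # An MX hostname with no A record contributes no addresses at all.
        for addr in A_RECORDS.get(norm_name(host), []):
            found.setdefault(norm_ip(addr), norm_name(host))
    return found


def is_mx_for(ip, domain):
    """False corresponds to the parser message 'is not an MX for domainname'."""
    return norm_ip(ip) in mx_addresses(domain)


def rdns_status(ip, helo_name):
    """Check the name a server announces against its rDNS and forward records."""
    ip = norm_ip(ip)
    ptr = PTR_RECORDS.get(ip)
    if ptr is None:
        return "no-rdns"            # the address has no reverse name at all
    if norm_name(ptr) != norm_name(helo_name):
        return "helo-mismatch"      # announced name is not the rDNS name
    forward = {norm_ip(a) for a in A_RECORDS.get(norm_name(ptr), [])}
    if ip not in forward:
        return "forward-mismatch"   # rDNS name does not point back to the address
    return "ok"


if __name__ == "__main__":
    for ip in ("192.0.2.11", "203.0.113.7"):
        print(ip, "MX for example.com:", is_mx_for(ip, "example.com"))
    for ip, helo in (("192.0.2.10", "mx1.example.com"),
                     ("203.0.113.99", "mail.example.org")):
        print(ip, helo, rdns_status(ip, helo))
```
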

The DNSbl entry needs a 'lot' of work. Trying to figure out how/why I didn't rip into it a long time ago (haven't checked the archives to see how it got to be the way it is) .... For instance, read all the instances of "I.P" stuff, then look at the definition of "IP" <g> .... "A DNS server keeps track of I.P.s that meet the listing service's criteria." is just so wrong in so many ways .....

It is reopened for comments. The following is the current working version which will be updated as we go along.

<a name="DNSbl"></a>DNSbl

DNS based blocking system. A DNS server keeps track of IP addresses that meet the listing service's criteria. Also known as BLOCKING LISTS and BLACKHOLE lists.

Mail servers and other network servers can reference them to reject mail or connections, or to decide if they need to examine them further. They also can be used to indicate trusted IP addresses to accept mail or connections.

There are many DNSbls with different criteria.

The spamcop.net DNSbl lists IP addresses that spam has been reported to originate from. It is aggressive, and may list real mail servers.

Some list only IP addresses that have been shown to be compromised and abused by spammers. Others list IP addresses that are known to be controlled by spammers.

These are known as conservative DNSbls.

And some list IP addresses that are DHCP assigned. These are known as Dynamic lists and sometimes DIALUP lists. Many mail servers will not accept e-mail from these addresses.

There are also DNSbls that list all IP addresses for specific ISP's and countries.

Use of conservative DNSbls can block over 80% of the incoming spam, usually without any real e-mail being rejected unless the sender's mail server has a severe security problem. Adding a good DHCP blocking list to that can eliminate most of the remaining spam with a very small chance of rejecting a real e-mail.

An aggressive DNSbl can be used to indicate if additional tests should be done on an incoming e-mail to see if it is spam or real e-mail.

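The working DNSbl entry above separates conservative, dynamic and aggressive lists and says how a mail server can use each. The following is an added example, not code from SpamCop or any list operator: it builds the usual DNSbl query name (reversed address plus the list's zone) and applies that policy, with the zone names, listings, return value and function names all constructed for illustration.

```python
"""DNSbl lookup and mail policy over constructed zone data (no network access)."""
import ipaddress

# Hypothetical zones, one per list type named in the entry.
ZONES = {
    "conservative": "conservative.dnsbl.example",
    "dynamic": "dynamic.dnsbl.example",
    "aggressive": "aggressive.dnsbl.example",
}

# Constructed listings: a query name that resolves means "listed".
LISTED = {
    "66.113.0.203.conservative.dnsbl.example": "127.0.0.2",
    "9.100.51.198.dynamic.dnsbl.example": "127.0.0.2",
    "20.2.0.192.aggressive.dnsbl.example": "127.0.0.2",
}


def sample_resolver(qname):
    """Stand-in for a DNS A lookup: an address if listed, None for no record."""
    return LISTED.get(qname.lower())


def query_name(ip, zone):
    """Reverse the address (octets for IPv4, nibbles for IPv6) and append the zone."""
    addr = ipaddress.ip_address(ip.strip())
    # reverse_pointer ends in "in-addr.arpa" or "ip6.arpa"; drop those two labels.
    reversed_part = addr.reverse_pointer.rsplit(".", 2)[0]
    return f"{reversed_part}.{zone}"


def lookup(ip, resolver=sample_resolver):
    """Return the set of list types on which the address is listed."""
    return {kind for kind, zone in ZONES.items()
            if resolver(query_name(ip, zone)) is not None}


def decide(ip, resolver=sample_resolver):
    """Apply the entry's policy to one connecting address."""
    hits = lookup(ip, resolver)
    if hits & {"conservative", "dynamic"}:
        # Refuse during the SMTP conversation so the sender's own server
        # tells the sender the mail was not delivered.
        return ("reject", sorted(hits))
    if "aggressive" in hits:
        # An aggressive list may include real mail servers: examine further.
        return ("test-further", sorted(hits))
    return ("accept", [])


if __name__ == "__main__":
    for ip in ("203.0.113.66", "198.51.100.9", "192.0.2.20", "192.0.2.1"):
        print(ip, decide(ip))
```

Passing a different `resolver` callable (for instance one that performs real DNS A lookups) leaves the policy logic unchanged.
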

A Manual Report is a Report that you construct and send by hand. Manual Reports should be sent for cases where you can't or shouldn't send a SpamCop Report. These cases include, but are not limited to:

Network Abuse that is not spam

Viruses

Worms

Worm Poop

Bounces

.......

Since Bounces are now considered reportable, should they be removed from the Manual Report List?


[p.s.] I have no idea how to get the dictionary into edit mode either (nor any password/credentials I suppose would be needed), neither do I have a password permitting file uploads to the forum (simply replacing http://forum.spamcop.net/dict/tinw.html with an edited copy should do the job, subject to any permissions/protections).


The dictionary predates the Wiki and was just one more of the tools Wazoo came up with to improve on the forum. I imported the majority of the information directly from the Forum Glossary. Then Wazoo came up with the Wiki and I copied the entries once more to the Wiki. For a while I was maintaining all 3 glossaries, but eventually gave up on the dictionary, finding the Wiki to be a much better system for information.

Here is a copy of Wazoo's original post in the MemberP forum announcing the dictionary

Going to start here to get the nasty part of the "tear it up" routine out of the way. dbiel did most of the heavy lifting, I'm still working out some issues with it, but ... think it's far enough into the process to start asking for more abuse <g>

2. Screen formatting is a bit wonky, some unusual combinations of code, string/line length calculations, browser display settings, etc. all play with each other ....

3. Some HTML codes fly, others don't ... for instance, I'm still trying to fathom how to actually get some text (in the definitions) to flip colors, not there yet ...

4. Some parsing issues with data entered, for example "/dev/null" went in just fine for dbiel's insert mode, but .... no clear way to ever get it displayed that way

5. Developer doesn't actually seem to exist these days ... the support forum for this app seems to be yet another place where I'm answering more questions than receiving answers to my queries. http://www.phpdictionary.com/support/ (Just made another Reply there while grabbing the link <g>)

6. Still unsure of leaving it 'standalone' or trying to move it to 'within' the Forum.